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UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 


PUBLIC CITIZEN, etal. 

Plaintiffs, 

V. 

ELISABETH DEVOS, Secretary, U.S. 
Department of Education, et al. 

Defendants. 


Civil Action No. l;19-cv-986-RDM 


PLAINTIFFS’ OPPOSITION TO DEFENDANTS’ MOTION TO DISMISS 


Plaintiffs Public Citizen and David Halperin brought this action seeking declaratory and 
injunctive relief against defendants Elisabeth DeVos and the Department of Education 
(collectively, the Department) for blocking Public Citizen’s website, in violation of the Eirst 
Amendment and the Administrative Procedure Act. After plaintiffs moved for a preliminary 
injunction, the Department voluntarily ceased blocking Public Citizen’s website and then moved 
to dismiss the case as moot. Because, as a general rule, a defendant cannot moot a live controversy 
by voluntarily ceasing the conduct that is the subject of the lawsuit, the Department’s motion 
should be denied. 


BACKGROUND 

Plaintiffs brought this action after learning that the Department’s internal and guest Wi-Ei 
networks blocked users’ access to Public Citizen’s website, citizen.org. Users seeking access to 
that website instead received a message that access to “URL: www.citizen.org/” is “in violation of 
your Internet usage policy,” and that Public Citizen’s URL falls within “Category: Advocacy 
Organization.” ECE-l (Compl.) ][][ 14, 16. The complaint sought declaratory and injunctive relief 
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on the grounds that the Department’s aetion bloeking Public Citizen’s website violated the First 
Amendment and the Administrative Procedure Act. Id. 25-35. 

After plaintiffs moved for a preliminary injunction, the Department filed a declaration from 
its Chief Information Security Officer Steven Hernandez. See ECF 16-2 (First Hernandez Decl.). 
The declaration states that the Department had “submitted a request to its vendor to grant access 
to Public Citizen’s website” and that Public Citizen’s website was accessible on the Department’s 
networks as of June 6, 2019. Id. TlTl 4, 5. It also represents that the “Department will not take any 
action to block access to Public Citizen’s website through its internal and guest-WiFi networks,” 
unless the site poses a threat to the Department’s networks. Id. T16. 

In a second declaration submitted with the Department’s motion to dismiss, Mr. Hernandez 
set forth the Department’s explanation of why Public Citizen’s website was blocked. See ECF 19- 
2 (Second Hernandez Decl.). According to Mr. Hernandez, in or about 2017, the Department began 
using a company called Fortinet to meet “cyber security and web filtering service requirements,” 
through a service called FortiGuard Web Filtering. Id.*^5. Mr. Hernandez explains that Fortinet 
uses “proprietary software” to classify web pages into six categories, including “Adult/Mature 
Content.” M ][][ 7, 8 & Exh. 1. The Adult/Mature Content category contains subcategories such as 
“Alternative Beliefs,” “Dating,” “Gambling,” “Nudity and Risque,” “Pornography,” “Sports 
Hunting and War Games,” and “Weapons (Sales),” but also “Abortion” (covering sites with data, 
legal discussion, and other information about abortion), “Sex Education” (covering sites with 
educatonal materials about sex and sexuality), and, relevant here, “Advocacy Organizations.” M; 
Exh. A to Declaration of Nandan M. Josh! (Josh! Deck), attached hereto. According to Eortinet’s 
website, the Advocacy Organizations subcategory includes “organizations that campaign or lobby 
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for a cause by building public awareness, raising support, influeneing public policy, etc.” See Exh. 
A, p.l to Joshi Decl. 

Mr. Hernandez states that the “operation of FortiGuard’s proprietary filtering system” 
plaeed Public Citizen’s website in the Advoeacy Organizations subeategory. Seeond Hernandez 
Deel. T110. The FortiGuard system “allows the customer” to allow, bloek, or take other actions 
with respect to categories and subeategories. Id. 9. The Department, “as a customer,” eleeted to 
bloek the Adult/Mature Content eategory, ineluding all of its subeategories. Id. As a result, the 
Department bloeked websites subeategorized under Advoeaey Organization, ineluding Publie 
Citizen’s website. Id. Tm 9, 10. 

Fortinet provides two ways of overriding its web filtering system. Id.*^\3. The first method 
involves ehanging the eategory to whieh the website is assigned. Id. The seeond method is ealled 
“administrative override or allow bloeked override.” Id. Aceording to Fortinet’s website, this 
seeond override method is “not indefinite”: the “longest that an override can be enabled is for 1 
year less a minute.” Exh. B, p.4 to Joshi Deel. To stop the Department’s bloeking of Publie 
Citizen’s website, Mr. Hernandez states that the Department requested that the Fortinet serviee be 
eonfigured “to override the web filtering that, by operation of the FortiGuard proprietary system, 
had assigned Public Citizen to a bloeked subeategory.” Seeond Hernandez Deel. T1 14. Mr. 
Hernandez does not speeify whieh override method the Department used, but he does not suggest 
that the Department has chosen to stop bloeking the Advoeaey Organization subeategory on its 
internal and Wi-Fi networks. 

ARGUMENT 

“Voluntary diseontinuanee of an alleged illegal aetivity does not operate to remove a ease 
from the ambit of judicial power.” Walling v. Helmerich & Payne, 323 U.S. 37, 43 (1944). Rather, 
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“a defendant elaiming that its voluntary eomplianee moots a ease bears the formidable burden of 
showing that it is absolutely elear the allegedly wrongful behavior eould not reasonably be 
expected to recur.” Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), 528 U.S. 167, 190 
(2000). Here, plaintiffs brought this case to vindicate their First Amendment rights to speak, and 
receive speech, on the Department’s networks on a par with other similarly situated voices. In 
seeking to dismiss this case as moot, the Department does not concede the merits of plaintiffs’ 
claims. Rather, it asserts that “the assignment of Public Citizen’s website to a blocked category 
occurred by operation of the vendor’s propriety system” and “has been overridden as it pertains to 
the Public Citizen website.” ECF 19 (Mot. to Dismiss) 6. The Department’s technical correction 
in response to plaintiffs’ lawsuit is not sufficient to satisfy its “heavy burden” of demonstrating 
mootness. Friends of the Earth, 528 U.S. at 189 (internal quotation marks omitted). 

As an initial matter, the Department’s attempt to lay responsibility for blocking Public 
Citizen’s website on Fortinet downplays the Department’s own actions. Even assuming the 
accuracy of the representation that the Department did not direct Eortinet “to assign Public 
Citizen’s website to a blocked category,” Mot. to Dismiss 7, the Department acknowledges that it 
directed Eortinet to block the entire Adult/Mature Content category on the Department’s networks, 
including the Advocacy Organizations subcategory. Second Hernandez Deck T19. The Department 
does not contest that it may not, consistent with the Eirst Amendment, block websites meeting 
Eortinet’s definition of Advocacy Organizations—“organizations that campaign or lobby for a 
cause by building public awareness, raising support, influencing public policy, etc.” Exh. A, p.l 
to Joshi Deck And the Department makes plain that it retains the right “as a customer” to direct 
Eortinet either to block or to allow access to that subcategory (or any subcategory). See Second 
Hernandez Deck T1 9; see also Exh. A, p.l to Joshi Deck Yet the Department has declined to take 
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the action—directing Fortinet not to block the Advocacy Organization subcategory—that would 
resolve the problem both now and in the long term. 

In these circumstances, the Department has not provided “enough clarity fully to assess the 
agency’s intentions” with regard to its future policy on blocking constitutionally protected 
websites, including Public Citizen’s website. People for the Ethical Treatment of Animals v. U.S. 
Dep’t of Agric., 918 F.3d 151,158 (D.C. Cir. 2019). Mr. Hernandez represents that the Department 
“will not take any action to block access to Public Citizen’s website through its internal and guest- 
WiFi networks.” First Hernandez Deck T16. But he does not describe any affirmative steps that the 
Department will take to address the causes that led to the violation. Without such a showing, the 
Department cannot “demonstrate that there is no reasonable expectation that the wrong will be 
repeated,” Payne Enterprises, Inc. v. United States, 837 F.2d 486, 492 (D.C. Cir. 1988) (internal 
quotation marks omitted), because “[m]ere assurances that the challenged conduct will not recur 
... have never been enough to sustain the ‘heavy’ burden borne by defendants in invoking the 
mootness doctrine,” Wills v. U.S. Parole Comm’n, 882 F. Supp. 2d 60, 71 (D.D.C. 2012). Mr. 
Hernandez, moreover, does not suggest he has authority to bind the Department, making the 
assurances given here particularly “weak.” See Payne Enterprises, Inc., 837 F.2d at 492 (giving 
little weight to affidavit from Air Force major that did “not pretend to speak for her superiors”). 

In describing the action taken in response to this lawsuit, Mr. Hernandez states that the 
Department’s “service providers configured the Fortinet service to override the web filtering that, 
by operation of the FortiGuard proprietary system, had assigned Public Citizen to a blocked 
category.” Second Hernandez Deck T1 14. But Mr. Hernandez identifies “two different ways to 
override the web filtering”—manually changing the website’s category and “administrative 
override or allow blocked override”—and fails to clarify which method the Department used. Id. 


5 



Case l:19-cv-00986-RDM Document 20 Filed 07/24/19 Page 6 of 9 


T113. The administrative-override or allow-bloeked-override method overrides the FortiGuard web 
filtering for only a limited period of time of no more than 1 year. Exh. B, p.4 to Joshi Deel. If the 
Department used this override method, nothing in Mr. Hernandez’s deelaration provides any basis 
for eoneluding that the Department has put in plaee proeesses and proeedures to guarantee that any 
administrative or allow-bloeked override is renewed before it expires. 

A deeper problem, however, shows that a live ease or eontroversy remains, regardless of 
the override method used for Publie Citizen’s website. Mr. Hernandez’s declaration suggests that 
the Department has no mechanism to ensure that its use of web-filtering contractors complies with 
the agency’s First Amendment obligation not to infringe on protected speech. The Department has 
not, for example, committed to unblocking the Advocacy Organization subcategory, even though 
the Department has no plausible constitutional basis for excluding “organizations that campaign 
or lobby for a cause by building public awareness, raising support, influencing public policy, etc.” 
from the agency’s networks. Exh. A, p.l to Joshi Deck Nor has the Department explained how it 
intends to avoid this constitutional problem as technologies or vendors change. The “total lack of 
any indication that the agency has taken steps” to prevent Public Citizen’s website from being 
caught up again in whatever web fdter service the Department uses. In re Ctr. For Auto Safety, 
793 F.2d 1346, 1353 n.43 (D.C. Cir. 1986), represents a significant risk that dismissal of this 
lawsuit would leave the Department “free to return to [its] old ways,” id. at 1352 (internal quotation 
marks omitted). 

That risk is “heighten[ed]” by the Department’s “refusal to admit the illegality of its past 
conduct.” Id. at 1353. If the Department, without acknowledging its error, could “moot a 
challenge” to its website-blocking actions simply by creating an override for the party bringing the 
lawsuit, it “could forever avoid judicial review” of the continuing unlawful action. Reeve Aleutian 
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Airways, Inc. v. United States, 889 F.2d 1139, 1142 (D.C. Cir. 1989) (internal quotation marks 
omitted). So long as the Department fails to aeknowledge the signifieant First Amendment 
implications of a government agency blocking the websites of “Advocacy Organizations” such as 
Public Citizen, “the likelihood of recurrence of challenged activity is more substantial.” Armster 
V. U.S. Dist. Court, 806 F.2d 1347, 1359 (9th Cir. 1986). 

Thus, m Knight First Amendment Institute at Columbia University v. Trump, Flo. 18-1691- 
CV, 2019 WL 2932440 (2d Cir. July 9, 2019), the Second Circuit held that the President’s 
“[vjoluntary discontinuance of an alleged illegal activity”—blocking critics on his Twitter feed— 
did not moot a declaratory-judgment action challenging the original blocking under the First 
Amendment. Id. at *4 n.3 (quoting Walling, 323 US. at 43). Likewise here, given the Department’s 
failure to acknowledge its First Amendment violation, as well as that the override may last one 
year or less, a declaratory judgment in plaintiffs’ favor is needed to “ensure” that the Department 
does not “continue to fail to meet” its constitutional responsibilities. Forest Guardians v. Johanns, 
450 F.3d 455, 462 (9th Cir. 2006); see Del Monte Fresh Produce Co. v. United States, 570 F.3d 
316, 321 (D.C. Cir. 2009) (stating that “even though the specific action that the plaintiff challenges 
has ceased, a claim for declaratory relief will not be moot even if the plaintiff ... merely attacks 
an isolated agency action, so long as the specific claim ... falls within the voluntary cessation 
doctrine”) (internal quotation marks, brackets, and punctuation omitted). 

A declaratory judgment is particularly critical here because the Department’s management 
of its internal and guest Wi-Fi networks will occur behind the scenes and outside of public view. 
For this reason, this case is unlike those on which the Department relies, where the courts could 
take comfort in government policymakers’ formal or, at least, public rejection of the policy that 
had led to underlying litigation. See Chichakli v. Trump, 714 Fed. Appx 1, 2 (D.C. Cir. 2017) 
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(holding case moot in light of the elimination of regulations and removal of plaintiff from sanetions 
list); National Black Police Ass’n v. Dist. of Col, 108 F.3d 346, 348 (D.C. Cir. 1997) (holding 
aetion moot in light of the “passage of ... new legislation”); Citizens for Responsibility & Ethics 
in Washington v. SEC, 858 F. Supp. 2d 51, 56, 62 (D.D.C. 2012) (holding aetion moot in light of 
a letter sent to Congress by a high-ranking agency official). Nor is this a case where reeurrenee of 
the ehallenged eonduet “requires [the eourt] to imagine a sequenee of eoineidenees too long to 
credits People for the Ethical Treatment of Animals v. Gittens, 396 F.3d416,424 (D.C. Cir. 2005). 
Although the Department implemented a (potentially temporary) override, the Department 
apparently has no plans to ensure that Publie Citizen is not bloeked again, for example by 
requesting that Fortinet allow aeeess to the Advoeaey Organization subeategory. “[A] ease 
‘beeomes moot only when it is impossible for a eourt to grant any effeetual relief whatever to the 
prevailing party. Chafin v. Chafin, 568 U.S. 165,172 (2013) (quoting Tfnox v. Service Employees 
Intern. Union, 567 U.S. 298, 307 (2012)). Here, however, absent a deelaratory judgment by this 
Court, plaintiffs remain at a heightened risk that the Department will again bloek aeeess to Publie 
Citizen’s website. 

CONCLUSION 

For the foregoing reasons, the Court should deny defendants’ motion to dismiss this ease 
as moot. 
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July 24, 2019 Respectfully submitted, 

/s/ Nandan M. Joshi _ 

Nandan M. Joshi (DC Bar No. 456750) 
Allison M. Zieve (DC Bar No. 424786) 
Scott L. Nelson (DC Bar No. 413548) 
Public Citizen Litigation Group 
1600 20th Street NW 
Washington, DC 20009 
(202) 588-1000 

Counsel for Plaintiffs 
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UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 


PUBLIC CITIZEN, etal. 

Plaintiffs, 

V. 

ELISABETH DEVOS, Secretary, U.S. 
Department of Education, et al. 

Defendants. 


Civil Action No. l;19-cv-986-RDM 


[PROPOSED] ORDER 

Upon consideration of Defendants’ motion to dismiss this case as moot, the opposition 
thereto, and the record in this case, it is hereby ordered that the motion is DENIED. 

SO ORDERED. 


Dated_, 2019 By_ 

RANDOLPH D. MOSS 
United States District Judge 



Case l:19-cv-00986-RDM Document 20-2 Filed 07/24/19 Page 1 of 32 


UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 


PUBLIC CITIZEN, etal. 

Plaintiffs, 

V. 

ELISABETH DEVOS, Secretary, U.S. 
Department of Education, et al. 

Defendants. 


Civil Action No. l;19-cv-986-RDM 


DECLARATION OF NANDAN M, JOSHI 


I, Nandan M. Joshi, declare as follows: 

1. I am an attorney at Public Citizen Litigation Group and represent plaintiffs in the 
above-captioned case. This declaration is being made in support of plaintiffs’ opposition to 
defendants’ motion to dismiss (ECE 19). 

2. On July 22, 2019, I visited the following web address: https://fortiguard.com 
/webfilter/categories. Attached as Exhibit A is a true and accurate copy of the contents of that web 
address as of that date, except to the extent any content was lost or altered during the process of 
printing that website to PDF format. 

3. On July 22, 2019, I visited the following web address: 

https://help.fortinet.eom/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Web_Filter/ 
Overriding%20FortiGuard%20website%20categorization.htm. Attached as Exhibit B is a true and 
accurate copy of the contents of that web address as of that date, except to the extent any content 
was lost or altered during the process of printing that website to PDF format. 
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Executed on July 24, 2019. 

I declare under penalty of perjury that the foregoing is true and correct to the best of my 
knowledge and belief 


/s/ Nandan M. Joshi 
Nandan M. Joshi 
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EXHIBIT A 
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► Home(/)/ Web Filter (/webfiIter) / Categories 


At a glance: 


Submit a site for categorization (/faq/wfratingsubmit) 


Web Filter Categories 


FortiGuard URL Database Categories are based upon the Web content viewing suitability of three major groups of customers: enterprises, schools, and home/families. They also take 
into account customer requirements for Internet management. The categories are defined to be easily manageable and patterned to industry standards. 


Each category contains websites or web pages that have been assigned based on their dominant Web content. A website or webpage is categorized into a specific category that is likely 
to be blocked according to its content. When a website contains elements in different categories, web pages on the site are separately categorized. 


Descriptions of the categories are designed to assist the reader with category comprehension only; they are not meant to depict any form of symbolic representation of the individuals 
who own or surf these sites. 


Adult / Mature Content 

Category Description Tests 

Abortion Websites pertaining j Web niter (http://wfurltest.fortigu3rd.eom/wftest/7.html) I I Full SSL Inspection (https://fortiguard.eom/wftest/7.html) | j SSLCertlficate Inspection (https://wftest7.fortiguard.corrL/wftest/7.html) j 

to abortion data, 
information, legal 
issues, and 
organizations. 

Advocacy This category caters j Web niter (http://wfurltest.fortigu3rd.eom/wftest/9.html) I I Full SSL Inspection (https://fortiguard.eom/wftest/9.html) | j SSLCertlficate Inspection (https://wftest9.fortiguard.eom/wftest/9.html) j 

Organizations to organizations 
that campaign or 
lobby for a cause by 
building public 
awareness, raising 
support, influencing 
public policy, etc. 

Alcohol Websites which | Web Filter (http://wfurltest.fortiguard.com/wftest/64.html) | j Full SSL Inspection (https://fortiguard.com/wftest/64.html) | | SSLCertlficate Inspection (https://wftest64.fortiguard.com/wftest/64.html) 

legally promote or 
sell alcohol 
products and 
accessories. 


https://fortiguard.com/webfilter/categories 


1/20 























7 / 22/2019 


Case 1:19 

Category 

Alternative 

Beliefs 


Dating 


Gambling 


Lingerie and 
Swimsuit 
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Description Tests 

Websites that | Web Filter (http://wfurltest.fortigu3rd.eom/wftest/2.html) j j Full SSL Inspection (https://fortiguard.eom/wftest/2.html) | | SSL Certificate Inspection (https://wftest2.fortiguard.eom/wftest/2.html) | 

provide information 
about or promote 
religions not 
specified in 
Traditional 
Religions or other 
unconventional, 
cultic, orfolkloric 
beliefs and 
practices. Sites that 
promote or offer 
methods, means of 
instruction, or other 
resources to affect 
or influence real 
events through the 
use of spells, curses, 
magic powers, 

Satanic or 

supernatural beings. 

Websites that allow j Web Filter (http://wfurltest.fortigu3rd.com/wftest/i5.html) j [ FuII SSL inspection [https://fortiguard.com/wftest/15.html) j j SSL Certificate Inspection (https://wftestl5.fortiguarcl.com/wftesV15.html) 

individuals to make 
contact and 
communicate with 
each other over the 
Internet, usually 
with the objective of 
developing a 
personal, romantic, 
or sexual 
relationship. 

Sites that cater to j Web Filter (http://wfurltest.f0rtigu3rd.com/wftest/ll.html] j | FuII SSL inspection [https://fortiguard.com/wftest/ll.html) j j SSL Certificate Inspection (https://wftestll.fortiguarcl.com/wftesVll.html) 

gambling activities 
such as betting, 
lotteries, casinos, 
including gaming 
information, 
instruction, and 
statistics. 

Websites that j Web Filter (http://wfurltest.fortiguard.com/wftest/66.html) | j Full SSL Inspection (https://fortiguard.com/wftest/66.html) j j SSL Certificate Inspection (https://wftest66.fortiguard.com/wftest/66.html) 

utilizes images of 
semi-nude models 
in lingerie, 
undergarments and 
swimwear for the 
purpose of selling or 
promoting such 
items. 


https://fortiguard.com/webfilter/categories 
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Category 

Description 

Tests 

Marijuana 

Sites that provide 
information about 

j Web Filter (http://wfurltest.fortiguarcl.com/wftest/57.html) | | Full SSL Inspection (https://fortiguarcl.com/wftest/57.html) | 


or promote the 
cultivation, 
preparation, or use 
of marijuana. 

Nudity and Mature content j web Filter (http://wfuritest.fortigu3rd.com/wftest/13.htmi) j j fuiissl inspection [https://fortiguard.com/wftest/13.htmi) 

Risque websites (18+years 

and over) that 
depict the human 
body in full or 
partial nudity 
without the intent 
to sexually arouse. 

Other Adult Mature content | Web Filter (http://wfurltest.fortiguard.eom/wftest/8.html) j j Full SSL Inspection (https://fortiguard.eom/wftest/8.html) 

Materials websites (18+years 

and over) that 
feature or promote 
sexuality, strip 
clubs, sex shops, etc. 
excluding sex 
education, without 
the intent to 
sexually arouse. 

Pornography Mature content j Web Filter (http://wfurltest.fortigu3rd.com/wftest/i4.html] | j FuII ssl inspection [https://fortiguard.com/wftest/14.html) 

websites (18+ years 
and over) which 
present or display 
sexual acts with the 
intent to sexually 
arouse and excite. 

Sex Education Educational j Web niter (http://wfurltest.fortigu3rd.com/wftest/63.html] | j FuII ssl inspection [https://fortiguard.com/wftest/63.html) 

websites that 
provide information 
or discuss sex and 
sexuality, without 
utilizing 
pornographic 
materials. 

Web pages that j Web Filter (http://wfurltest.fortiguard.com/wftest/67.html) j j Full SSL Inspection (https://fortiguard.com/wftest/67.html) 

feature sport 
hunting, war games, 
paintball facilities, 
etc. Includes all 
related clubs, 
organizations and 
groups. 

Tobacco Websites which j Web Filter (http://wfurltest.fortigu3rd.com/wftest/65.html] j j FuII ssl inspection [https://fortiguard.com/wftest/65.html) 

legally promote or 
sell tobacco 
products and 
accessories. 


Sports 
Hunting and 
War Games 


I SSL Certificate Inspection (https://wftest57.fQrtiguard.CQm/wftest/57.html)' 


SSL Certificate Inspection (https://wftestl3.fortiguarcl.com/wftest/13.html) 


SSL Certificate Inspection (https://wftest8.fortiguarcl.eom/wftest/8.html) 


SSL Certificate Inspection (https://wftestl4.fortiguarcl.com/wftest/14.html) 


SSL Certificate Inspection (https://wftest63.fortiguarcl.com/wftest/63.html) 


SSL Certificate Inspection (https://wftest67.fortiguarcl.com/wftest/67.html) 


SSL Certificate Inspection (https://wftest65.fortiguarcl.com/wftest/65.html) 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 

Weapons Websites that | Web Filter (http://wfurltest.fortigu3rd.com/wftest/16.html) j j Full SSL Inspection (https://fortiguard.com/wftest/16.html) j | SSL Certificate Inspection (https://wftestl6.fortiguard.com/wftest/16.html) 

(Sales) feature the legal 

promotion or sale of 
weapons such as 
hand guns, knives, 
rifles, explosives, 
etc. 


Bandwidth Consuming 

Category Description Tests 


File 

Sharing 

and 

Storage 


Websites that permit j Web niter (http://wfurltest.fortiguard.com/wftest/24.html) j j FuIISSL inspection (https://fortiguard.com/wftest/24.html) j j SSL Certificate Inspection (https://wftest24.fortiguard.com/wftest/24.html) 

users to utilize Internet 
servers to store personal 
files or for sharing, such 
as with photos. 


Freeware Sites whose primary j web niter (http://wfuritest.fortiguard.com/wftest/19.htmi) j j fuiissl inspection{https://fortiguard.com/wftest/19.htmi) 

and function is to provide 

Software freeware and software 
Downloads downloads. Cell phone 

ringtones/images/games, 
computer software 
updates for free 
downloads are all 
included in this category. 


SSL Certificate Inspection (https://wftestl9.fortiguard.com/wftest/19.html) 


Internet 
Radio and 
TV 


Websites that broadcast j Web niter (http://wfurltest.fortiguard.com/wftest/75.html) j j FuIISSL inspection {https://fortiguard.com/wftest/75.html) j j SSLcertificate Inspection {https://wftest75.fortiguard.com/wftest/75.html) 

radio or TV 
communications over 
the Internet. 


Internet Websites that enable j Web Filter {http://wfurltest.fortiguard.com/wftest/76.html) j j Full SSL Inspection {https://fortiguard.com/wftest/76.html) j j SSL Certificate Inspection {https://wftest76.fortiguard.com/wftest/76.html) 

Telephony telephone 

communications over 
the Internet. 


Peer-to- 
peer File 
Sharing 


Websites that allow j Web niter {http://wfurltest.fortiguard.com/wftest/72.html) j j FuIISSL inspection {https://fortiguard.com/wftest/72.html) j j SSL Certificate Inspection {https://wftest72.fortiguard.com/wftest/72.html) 

users to share files and 
data storage between 
each other. 


Streaming Websites that allow the j Web niter {http://wfurltest.fortiguard.com/wftest/25.html) j j FuIISSL inspection {https://fortiguard.com/wftest/25.html) j | SSLcertificate inspection {https://wftest25.fortiguard.com/wftest/25.html) 

Media and downloading of MP3 or 
Download other multimedia files. 


General Interest - Business 

Category Description Tests 

Armed Forces Websites related to | webniter {http://wfuritest.fortiguard.com/wftest/53.htmi) j | fuii ssl inspection (https://fortiguard.com/wftest/53.htmi) j | ssl certificate inspection{https://wftest53.fortiguard.com/wftest/53.htmi) 

organized military 
and armed forces, 
excluding civil and 
extreme military 
organizations. 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 

Business Sites sponsored by j Web Filter {http://wfurltest.fortigijard.com/wftest/49.html) | j Full SSL Inspection (https://fortiguard.com/wftest/49.html) | j SSL Certificate Inspection (https://wftest49.fortiguard.com/wftesty49.html) 

or devoted to 
business firms, 
business 
associations, 
industry groups, or 
business in general. 

Information 
Technology 
companies are 
excluded in this 
category and fall in 
Information 
Technology. 

Sites for | Web niter {http://wfurltest.fortiguard.com/wftest/92.html) j j Full SSL Inspection (https://fortiguard.com/wftest/92.html) j | SSL Certificate Inspection (https://wftest92.fortiguard.com/wftest/92.html) 

organizations that 
are set up with a 
mission that serves 
a public purpose, 
and are 

philanthropic in 
nature. This 
category excludes 
advocacy or political 
organizations. 

Financial Data and | Web niter {http://wfurltest.fortiguard.com/wftest/31.html) j j Full SSL Inspection (https://fortiguard.com/wftest/31.html) j | SSL Certificate Inspection (https://wftest31.fortiguard.com/wftest/31.html) 

Services--Sites that 
offer news and 
quotations on 
stocks, bonds, and 
other investment 
vehicles, investment 
advice, but not 
online trading. 

Includes banks, 
credit unions, credit 
cards, and 
insurance. 

Mortgage/insurance 
brokers apply here 
as opposed to 
Brokerage and 
Trading. 


Charitable 

Organizations 


Finance and 
Banking 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 


General Sites that cater to | Web Filter {http://wfurltest.fortigijard.com/wftest/43.html) j j Full SSL Inspection (https://fortiguard.com/wftest/43.html) j | SSL Certificate Inspection (https://wftest43.fortiguard.com/wftest/43.html) 

Organizations groups, clubs or 
organisations of 
individuals with 
similar interests, 
either professional, 
social, humanitarian 
or recreational in 
nature. Social and 
Affiliation 

Organizations: Sites 
sponsored by or 
that support or offer 
information about 
organizations 
devoted chiefly to 
socializing or 
common interests 
other than 
philanthropy or 
professional 
advancement.Not to 
be be confused with 
Advocacy Groups 
and Political 
Groups. 


Government Government: Sites | Web niter (http://wfurltest.fortiguard.com/wftest/51.html) j I Full SSL Inspection (https://fortiguard.com/wftest/51.html) j | SSL Certificate Inspection (https://wftest51.fortiguard.com/wftest/51.html) 

and Legal sponsored by 

Organizations branches, bureaus, 
or agencies of any 
level of government, 
except for the 
armed forces, 
including courts, 
police institutions, 
city-level 
government 
institutions. Legal 
Organizations: Sites 
that discuss or 
explain laws of 
various government 
entities. 







Information 

Information 

I Web Filter {http://wfurltest.fortiguard.com/wftest/52.html) j 

I Full SSL Inspection (https://fortiguard.com/wftest/52.html) | 

I SSL Certificate Inspection {https://wftest52.fortiguard.com/wftest/52.html) | 

Technology 

Technology 
peripherals and 
services, cell phone 
services, cable 
TV/Internet 
suppliers. 





https://fortiguard.com/webfilter/categories 
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Category Description Tests 


Information 

and 

Computer 

Security 


Sites that provide 
information about 
or free 

downloadable tools 
for computer 
security, but not 
ordinary Freeware 
and Software 
downloading. 


I Web Filter (http://wfurltest.fortiguard.com/wftest/50.html) j j Full SSL Inspection (https://fortiguard.com/wftest/5Q.html) j | SSL Certificate Inspection (https://wftest5Q.fortiguard.com/wftesty50.html) 


Online Sites that enable | WebFilter {http://wfurltest.fortigijard.com/wftest/95.html) j j FuII SSLinspection (https://fortiguard.com/wftest/95.html) j | SSLcertificate Inspection(https://wftest95.fortiguard.com/wftest/95.html) 

Meeting hosting of meetings, 

screen sharing and 
collaboration of 
documents across 
the Internet. 


Remote Sites that facilitate | Web niter {http://wfurltest.fortiguard.com/wftest/93.html) j j FuII SSL inspection (https://fortiguard.com/wftest/93.html) j | SSL certificate Inspection (https://wftest93.fortiguard.com/wftest/93.html) 

Access authorized access 

and use of 
computers or 
private networks 
remotely across the 
Internet. 


Search 
Engines and 
Portals 


Sites that support | Web niter (http://wfurltest.fortiguard.com/wftest/41.html) j j Full SSL Inspection (https://fortiguard.com/wftest/41.html) j | SSL Certificate Inspection (https://wftest41.fortiguard.com/wftest/41.html) 

searching the Web, 
news groups, or 
indices/directories. 

Sites of search 
engines that provide 
info exclusively for 
shopping or 
comparing prices, 
however,fall in 
Shopping and 
Auction. 


Secure Sites that institute | Web niter (http://wfurltest.fortiguard.com/wftest/ai.html) j j Full SSL Inspection (https://fortiguard.com/wftest/81.html) j | SSL Certificate Inspection {https://wftest81.fortiguard.com/wftest/81.html) 

Websites security measures 
such as 

authentication, 
passwords, 
registration, etc. 


Web Sites that are used | Web niter (http://wfurltest.fortiguard.com/wftest/94.html) j j FuII SSL inspection (https://fortiguard.com/wftest/94.html) j | SSL Certificate Inspection (https://wftest94.fortiguard.com/wftest/94.html) 

Analytics to collect and assess 
web traffic data. 

Web Hosting Sites of j Web niter (http://wfurltest.fortiguard.com/wftest/56.html) | j Full SSL Inspection (https://fortiguard.com/wftest/56.html) j j SSL Certificate Inspection (https://wftest56.fortiguard.com/wftest/56.html) 

organizations that 
provide hosting 
services, or top- 
level domain pages 
of Web 
communities. 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 

Web-based Sites that mimic j Web Filter {http://wfurltest.fortigijard.com/wftest/a4.html) | | Full SSL Inspection (https://fortiguard.com/wftest/84.html) | j SSL Certificate Inspection (https://wftest84.fortiguard.com/wftesty84.html) 

Applications desktop 

applications such as 
word processing, 
spreadsheets, and 
slide-show 
presentations. 

General Interest - Personal 

Category Description Tests 

Advertising Sites that provide j Web niter (http://wfurltest.fortiguard.com/wftest/17.html) j | Full SSL Inspection (https://fortlguard.com/wftest/17.html) j j SSL Certificate Inspection (https://wftestl7.fortiguar(l.com/wftest/17.html) 

advertising 
graphics or other 
ad content files, 
including ad servers 
(domain name 
often with 'ad.', such 
as ad.yahoo.com). If 
a site is mainly for 
online transactions, 
it is rated as 
Shopping and 
Auctions. Includes 
pay-to-surf and 
affiliated 
advertising 
programs. 

Arts and Websites that cater j Web niter (http://wfurltest.fortigu3rd.com/wftest/29.html] j j FuII SSL inspection [https://fortiguard.com/wftest/29.html) j j SSLcertificate inspection (https://wftest29.fortiguarcl.com/wftest/29.html) 

Culture to fine arts, cultural 

behaviors and 
backgrounds 
including 
conventions, 
artwork and 
paintings, music, 
languages, customs, 
etc. Also includes 
institutions such as 
museums, libraries 
and historic sites. 

Sites that promote 
historical, cultural 
heritage of certain 
area, but not 
purposely 
promoting travel. 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 

Auction Websites that | Web Filter (http://wfurltest.fortigu3rd.com/wftest/89.html) j j Full SSL Inspection (https://fortiguard.com/wftest/89.html) | | SSL Certificate Inspection (https://wftesta9.fortiguard.com/wftest/89.html) 

feature on-line 
promotion or sale 
of general goods 
and services such 
as electronics, 
flowers, jewelry, 
music, etc, 
excluding real 
estate. Also 
includes on-line 
auction services 
such as eBay, 

Amazon, Priceline. 

Brokerage and Sites that support | Web Filter (http://wfurltest.fortiguard.com/wftest/18.html) I j Full SSL Inspection (https://fortiguard.com/wftest/18.html) 

Trading active trading of 

securities and 
management of 
investments. Real 
estate broker does 
notapply here, and 
falls within 
Shopping and 
Auction. Sites that 
provide supplier 
and buyer info/ads 
do not apply here 
either since they do 
not provide trading 
activities. 

Websites j Web Filter (http://wfurltest.fortigu3rd.com/wftest/77.html] j j Full SSL Inspection [https://fortiguard.com/wftest/77.html) | | SSL Certificate Inspection (https://wftest77.fortiguarcl.com/wftest/77.html) 

developed for 
children age 12 and 
under. Includes 
educational games, 
tools, organizations 
and schools. Note 
that children's 
hospitals are rated 
as Health. 


Websites that host j Web niter (http://wfurltest.fortiguard.com/wftest/82.html) | j Full SSL Inspection (https://fortiguard.com/wftest/82.html) j j SSL Certificate Inspection (https://wftesta2.fortiguard.com/wftest/82.html) 

servers that 
distribute content 
for subscribing 
websites. Includes 
image and Web 
servers. 

Digital Sites for j Web Filter (http://wfurltest.fortiguard.com/wftest/71.html) | j Full SSL Inspection (https://fortiguard.com/wftest/71.html) | j SSL Certificate Inspection (https://wftest71.fortiguard.com/wftest/71.html) 

Postcards sending/viewing 
digital post cards. 


Child 

Education 


Content 

Servers 


SSL Certificate Inspection (https://wftestl8.fortiguard.com/wftest/18.html) 


https://fortiguard.com/webfilter/categories 
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Category 
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Parking 
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Description Tests 

Sites that simply | Web Filter (http://wfurltest.fortigu3rd.com/wftest/85.html) j j Full SSL Inspection (https://fortiguard.com/wftest/85.html) j | SSL Certificate Inspection (https://wftesta5.fortiguard.com/wftest/85.html) 

are place holders of 
domains without 
meaningful 
content. 

URLs that are j Web Filter (http://wfurltest.fortiguard.com/wftest/54.html) j [ Full SSL Inspection (https://fortiguard.com/wftest/54.html) j j SSL Certificate Inspection (https://wftest54.fortiguard.com/wftest/54.html) 

generated 
dynamically by a 
Web server. 

Educational j Web Filter (http://wfurltest.fortiguard.com/wftest/30.html) j j Full SSL Inspection (https://fortiguard.com/wftest/30.html) j j SSL Certificate Inspection (https://wftest30.fortiguard.com/wftest/30.html) 

Institutions: Sites 
sponsored by 
schools, other 
educational 
facilities and non- 
academic research 
institutions, and 
sites that relate to 
educational events 
and activities. 

Educational 
Materials: Sites 
that provide 
information about, 
sell, or provide 
curriculum 
materials. Sites that 
direct instruction, 
as well as academic 
journals and similar 
publications where 
scholars and 
professors submit 
academic/research 
articles. 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 

Entertainment Sites that provide | Web Filter (http://wfurltest.fortigu3rd.com/wftest/28.html) j I Full SSL Inspection (https://fortiguard.com/wftest/28.html) j | SSL Certificate Inspection (https://wftest28.fortiguard.com/wftest/28.html) 

information about 
or promote motion 
pictures, non-news 
radio and 
television, music 
and programming 
guides, books, 
humor, comics, 
movie theatres, 
galleries, artists or 
review on 
entertainment, and 
magazines. Includes 
book sites that 
have personal 
flavor or extra- 
material by authors 
to promote the 
books. 

Folklore UFOs, fortune j Web Filter (http://wfurltest.fortigu3rd.com/wftest/58.html) j [ Full SSL Inspection (https://fortiguard.com/wftest/58.html) j j SSL Certificate Inspection (https://wftest58.fortiguard.com/wftest/58.html) 

telling, horoscopes, 
fen shui, palm 
reading, tarot 
reading, and ghost 
stories. 

Games Sites that provide j Web Filter (http://wfurltest.fortiguard.com/wftest/20.html) j j Full SSL Inspection (https://fortiguard.com/wftest/20.html) j j SSL Certificate Inspection (https://wftest20.fortiguard.com/wftest/20.html) 

information about 
or promote 
electronic games, 
video games, 
computer games, 
role-playing games, 
or online games. 

Includes 

sweepstakes and 
giveaways. Sport 
games are not 
included in this 
category, but time 
consuming 
mathematic game 
sites that serve 
little education 
purpose are 
included in this 
category. 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 

Global Sites that provide | Web Filter (http://wfurltest.fortigu3rd.com/wftest/40.html) j j Full SSL Inspection (https://fortiguard.com/wftest/40.html) j | SSL Certificate Inspection (https://wftest40.fortiguard.com/wftest/40.html) 

Religion information about 

or promote 
Buddhism, Bahai, 

Christianity, 

Christian Science, 

Hinduism, Islam, 

Judaism, 

Mormonism, 

Shinto, and Sikhism, 
as well as atheism. 

Health and Sites that provide j Web Filter (http://wfurltest.fortigijard.com/wftest/33.html) j j FuII SSL inspection (https://fortiguard.com/wftest/33.html) | j SSLcertificate Inspection (https://wftest33.fortiguard.com/wftest/33.html) 

Wellness information or 

advice on personal 
health or medical 
services, 
procedures, or 
devices, but not 
drugs. Includes self- 
help groups. This 
category includes 
cosmetic surgery 
providers, 
children's hospitals, 
but not sites of 
medical care for 
pets, which fall in 
Society and 
Lifestyle. 







Instant 

Sites that allow 

1 Web Filter (http://wfurltest.fortiguard.com/wftest/69.html) | 

j Full SSL Inspection (https://fortiguard.com/wftest/69.html) | 

1 SSL Certificate Inspection (https://wftest69.fortiguard.com/wftest/69.html) | 

Messaging 

users to 

communicate in 

real-time over the 

Internet. 





Job Search Sites that offer | Web Filter (http://wfurltest.fortiguard.com/wftest/34.html) | j FuIISSL inspection (https://fortiguard.com/wftest/34.html) | | SSLcertificate Inspection (https://wftest34.fortiguard.com/wftest/34.html) 

information about 
or support the 
seeking of 
employment or 
employees. 

Includes career 
agents and 
consulting services 
that provide job 
postings. 

Meaningless This category | Web Filter (http://wfurltest.fortiguard.com/wftest/55.html) | j FuII SSL inspection (https://fortiguard.com/wftest/55.html) j | SSLcertificate Inspection (https://wftest55.fortiguard.com/wftest/55.html) 

Content houses URLs that 

cannot be 
definitively 
categorized due to 
lack of or 

ambiguous content. 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 

Medicine Prescribed | Web Filter (http://wfurltest.fortiguard.com/wftest/35.html) j j FuII SSL inspection (https://fortiguard.com/wftest/35.html) j | SSLcertificate Inspection (https://wftest35.fortiguard.com/wftest/35.html) 

Medications: Sites 
that provide 
information about 
approved drugs and 
their medical use. 

Supplements and 
Unregulated 
Compounds: Sites 
that provide 
information about 
or promote the sale 
or use of chemicals 
not regulated by 
the FDA (such as 
naturally occurring 
compounds). This 
category includes 
sites of online 
shopping for 
medicine, as it is a 
sensitive category 
separated from 
regular shopping. 

Sites that offer | Web Filter (http://wfurltest.fortiguard.com/wftest/36.html) j j Full SSL Inspection (https://fortiguard.com/wftest/36.html) j | SSL Certificate Inspection (https://wftest36.fortiguard.com/wftest/36.html) 

current news and 
opinion, including 
those sponsored by 
newspapers, 
general-circulation 
magazines, or other 
media. This 
category includes 
TV and Radio sites, 
as long as they are 
not exclusively for 
entertainment 
purpose, but 
excludes academic 
journals. 

Alternative 
Journals: Online 
equivalents to 
supermarket 
tabloids and other 
fringe publications. 

Newsgroups Sites for online | Web Filter (http://wfurltest.fortiguard.com/wftest/70.html) j j FuII SSL inspection (https://fortiguard.com/wftest/70.html) j | SSL Certificate Inspection (https://wftest70.fortiguar(l.com/wftest/70.html) 

and Message personal and 

Boards business clubs, 

discussion groups, 
message boards, 
and list servers; 
includes 'blogs' and 
'mail magazines.' 


News and 
Media 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 


Personal Sites providing j Web Filter (http://wfurltest.fortigu3rd.com/wftest/87.html) j | Full SSL Inspection (https://fortiguard.com/wftest/87.html) j j SSLCertificate Inspection (https://wftesta7.fortiguard.com/wftest/87.html) 

Privacy online banking, 

trading, health care, 
and others that 
contain personal 
privacy 
information. 


Personal Websites that j Web Filter (http://wfurltest.fortiguard.com/wftest/48.html) j | Full SSL Inspection (https://fortiguard.com/wftest/48.html) j j SSLCertificate Inspection (https://wftest48.fortiguard.com/wftest/48.html) 

Vehicles contain information 

on private use or 
sale of autos, boats, 
planes, 

motorcycles, etc., 
including parts and 
accessories. 


Personal 
Websites and 
Blogs 


Private web pages 
that host personal 
information, 
opinions and ideas 
of the owners. 


Web Filter (http://wfurltest.fortiguard.com/wftest/80.html) 


Full SSL Inspection (https://fortiguard.com/wftest/80.html) 


SSLCertificate Inspection (https://wftest80.fortiguard.com/wftest/80.html) 


Political Sites that are j Web Filter (http://wfurltest.fortiguard.com/wftest/38.html) | j Full SSL Inspection (https://fortiguard.com/wftest/38.html) | | SSLCertificate Inspection (https://wftest38.fortiguard.com/wftest/38.html) 

Organizations sponsored by or 
provide 

information about 
political parties and 
interest groups 
focused on 
elections or 
legislation. This is 
not to be confused 
with Government 
and Legal 

Organizations, and 
Advocacy Groups. 


Real Estate Websitesthat j Web Filter (http://wfurltest.fortiguard.com/wftest/78.html) | j Full SSL Inspection [https://fortiguard.com/wftest/78.html) | j SSLCertificate Inspection (https://wftest78.fortiguard.com/wftest/78.html) 

promote the sale or 
renting of real 
estate properties. 


Reference Websites that j Web Filter (http://wfurltest.fortigu3rd.com/wftest/39.html) | j FuIISSL inspection [https://fortiguard.com/wftest/39.html) j j SSLcertificate inspection (https://wftest39.fortiguard.com/wftest/39.html) 

provide general 
reference data in 
the form of 
libraries, 
dictionaries, 
thesauri, 
encyclopedias, 
maps, directories, 
standards, etc. 


14/20 
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Category 

Restaurant 
and Dining 


Shopping 


Social 

Networking 


Description 

Websites related to 
restaurants and 
dining, includes 
locations, food 
reviews, recipes, 
catering services, 
etc. 

Websites that 
feature on-line 
promotion or sale 
of general goods 
and services such 
as electronics, 
flowers, jewelry, 
music, etc, 
excluding real 
estate. Also 
includes on-line 
auction services 
such as eBay, 
Amazon, Priceline. 

Asocial networking 
site is a platform to 
build social 
networks or social 
relations among 
people who share 
similar interests, 
activities, 
backgrounds or 
real-life 
connections. A 
social network 
service consists of a 
representation of 
each user (often a 
profile), his or her 
social links, and a 
variety of 
additional services. 
Social network 
sites are web-based 
services that allow 
individuals to 
create a public 
profile, create a list 
of users with whom 
to share 

connections, and 
view and cross the 
connections within 
the system. 


Tests 


Web Filter (http://wfurltest.fortiguard.com/wftest/79.html) 


Full SSL Inspection (https://fortiguard.com/wftest/79.html) 


SSL Certificate Inspection (https://wftest79.fortiguard.com/wftest/79.html) 


Web Filter (http://wfurltest.fortiguard.com/wftest/42.html) 


Full SSL Inspection (https://fortiguard.com/wftest/42.html) 


SSL Certificate Inspection (https://wftest42.fortiguard.com/wftest/42.html) 


Web Filter (http://wfurltest.fortiguard.com/wftest/37.html) 


Full SSL Inspection (https://fortiguard.com/wftest/37.html) 


SSL Certificate Inspection (https://wftest37.fortiguard.com/wftest/37.html) 


https://fortiguard.com/webfilter/categories 
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Category Description Tests 


This category j Web Filter (http://wfurltest.fortigu3rd.com/wftest/44.html) j | Full SSL Inspection (https://fortiguard.com/wftest/44.html) j j SSLCertificate Inspection (https://wftest44.fortiguard.com/wftest/44.html) 

contains sites that 
deal with everyday 
life issues and 
preferences such as 
passive hobbies 
(gardening, stamp 
collecting, pets), 
journals, blogs, etc. 

Sports Includes sites that j Web Filter (http://wfurltest.fortiguard.com/wftest/46.html) j j Full SSL Inspection (https://fortiguard.com/wftest/46.html) j j SSLCertificate Inspection (https://wftest46.fortiguard.com/wftest/46.html) 

pertain to 
recreational sports 
and active hobbies 
such as fishing, 
hunting, jogging, 
canoeing, archery, 
chess, as well as 
organized, 
professional and 
competitive sports. 

Travel v\/ebsites in this | Web niter (http://wfurltest.fortiguard.com/wftest/47.html) j | Full SSL Inspection (https://fortiguard.com/wftest/47.html) j | SSLCertificate Inspection (https://wftest47.fortiguard.com/wftest/47.html) 

category feature 
travel related 
resources such as 
accommodations, 
transportation (rail, 
airlines, cruise 
ships), agencies, 
resort locations, 
tourist attractions, 
advisories, etc. 


Society and 
Lifestyles 


Web Chat Sites that host Web j Web Filter (http://wfurltest.fortiguard.com/wftest/68.html) j j Full SSL Inspection (https://fortiguard.com/wftest/68.html) | j SSLCertificate Inspection (https://wftest68.fortiguard.com/wftest/68.html) 

chat services, or 
that support or 
provide 

information about 
chat via HTTP or 
IRC. 

Web-based Sites that allow j Web Filter (http://wfurltest.fortiguard.com/wftest/23.html) j j FuII SSL inspection (https://fortiguard.com/wftest/23.html) | j SSLcertificate Inspection (https://wftest23.fortiguard.com/wftest/23.html) 

Email users to utilize 

electronic mail 
services. 


Potentially Liable 

Category Description Tests 
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Category Description Tests 

Child Abuse Websites that have j Web Filter (http://wfurltest.fortiguard.com/wftest/83.html) | | Full SSL Inspection (https://fortiguard.com/wftest/83.html) | 

been verified by the 
Internet Watch 
Foundation to contain 
or distribute images of 
non-adult children that 
are depicted in a state 
of abuse. Information 
on the Internet Watch 
Foundation is available 
at 

http://www.iwf.org.uk/. 

Discrimination Sites that promote the j webFilter {http://wfuritest.fortiguard.e0m/wftest/5.htmi) j j fuii ssl inspection (https://fortiguard.eom/wftest/5.htmi] j 

identification of racial 
groups, the 
denigration or 
subjection of groups, 
or the superiority of 
any group. 

Websites that feature j Web niter {http://wfurltest.fortiguard.eom/wftest/l.html) j j Full SSL Inspection (httpsV/fortiguard.com/wftest/l.html) j 

information on illegal 
drug activities 
including: drug 
promotion, 
preparation, 
cultivation, trafficking, 
distribution, 
solicitation, etc. 

This category includes | Web Filter (http://wfurltest.fortiguard.eom/wftest/6.html) | | Full SSL Inspection (https://fortiguard.eom/wftest/6.htnnl) | 

sites that depict 
offensive material on 
brutality, death, 
cruelty, acts of abuse, 
mutilation, etc. 

Sites that feature j Web niter (http://wfurltest.f0rtiguard.com/wftest/i2.html) | | FuII ssl inspection (https://fortigtjard.com/wftestyi2.html) j 

radical militia groups 
or movements with 
aggressive anti¬ 
government 
convictions or beliefs. 

Hacking Websites that depict j Web niter {http://wfurltest.fortiguard.e0m/wftest/3.html) j j FuII ssl inspection (h1rtps://fortiguard.com/wftest/3.html] j 

illicit activities 
surrounding the 
unauthorized 
modification or access 
to programs, 
computers, equipment 
and websites. 


Drug Abuse 


Explicit 

Violence 


Extremist 

Groups 


SSL Certificate Inspection (https://wftest83.fortiguard.com/wftest/83.html) 


SSL Certificate Inspection (https://wftest5.fortiguard.eom/wftest/5.html) 


SSLCertificate Inspection (https://wftestl.fortiguard.eom/wftest/l.html) 


SSL Certificate Inspection (https://wftest6.fortiguard.eom/wftest/6.html) 


SSL Certificate Inspection (https://wftestl2.fortiguard.com/wftest/12.html) 


SSL Certificate Inspection (https://wftest3.fortiguard.eom/wftest/3.html) 
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Category Description Tests 

Illegal or Websites that feature j Web Filter (http://wfurltest.fortiguard.eom/wftest/4.html) | | Full SSL Inspection (https://fortiguard.com/wftesty4.html) j j SSL Certificate Inspection {https7/wftest4.fortiguard.com/wftest/4.html) j 

Unethical information, methods, 

or instructions on 
fraudulent actions or 
unlawful conduct (non¬ 
violent) such as scams, 
counterfeiting, tax 
evasion, petty theft, 
blackmail, etc. 

Plagiarism Websites that provide, j Web Filter (http://wfurltest.fortiguard.com/wftest/62.html) j I Full SSL Inspection (https://fortiguard.com/wftesty62.html) j j SSL Certificate Inspection {https7/wftest62.fortigiiard.com/wftest/62.html) 

distribute or sell 
school essays, projects, 
or diplomas. 

Proxy Websites that provide j Web Filter {http://wfurltest.fortiguard.com/wftest/59.html) j j FuII SSL inspection (https://fortiguard.com/wftest/59.html) j j SSL Certificate Inspection {https://wftest59.fortiguard.com/wftest/59.html) 

Avoidance information or tools on 

how to bypass I nternet 
access controls and 
browse the Web 
anonymously, includes 
anonymous proxy 
servers. 


Security Risk 

Category Description Tests 

Dynamic Sites that utilize j Web niter (http://wfurltest.fortiguard.com/wftest/88.html) j | Full SSL Inspection (https://fortiguard.com/wftest/88.html) j j SSL Certificate Inspection (https://wftesta8.fortiguard.com/wftest/88.html) 

DNS dynamic DNS services 

to map a Fully 
Qualified Domain 
Name (FQDN) to a 
specific IP address or 
set of addresses under 
the control of the site 
owner; these are often 
used in cyber attacks 
and botnet command & 
control servers. 

Malicious Sites that host | Web niter (http://wfurltest.fortiguard.com/wftest/26.html) j j FuII SSL inspection (https://fortiguard.com/wftest/26.html) j | SSL Certificate Inspection (https://wftest26.fortiguard.com/wftest/26.html) 

Websites software that is 

covertly downloaded 
to a user’s machine to 
collect information and 
monitor user activity, 
and sites that are 
infected with 
destructive or 
malicious software, 
specifically designed to 
damage, disrupt, attack 
or manipulate 
computer systems 
without the user's 
consent, such as virus 
or trojan horse. 
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Category Description Tests 

Newly Domains that are 

Observed newly configured or 

Domain newly active, but not 

necessarily newly 
registered. 

Newly Domains that were j Web Filter (http://wfurltest.fortiguard.com/wftest/91.html) j j Full SSL Inspection (https://fortiguard.com/wftest/91.html) j j SSL Certificate Inspection (https://wftest91.fortiguard.com/wftest/91.html) 

Registered very recently 

Domain registered. 

Phishing Counterfeit web pages | Web Filter (http://wfurltest.fortiguard.com/wftest/61.html) | j Full SSL Inspection (https://fortiguarcl.com/wftest/61.html) | | SSL Certificate Inspection (https://wftest61.fortiguard.com/wftest/61.html) 

that duplicate 
legitimate business 
web pages for the 
purpose of eliciting 
financial, personal or 
other private 
information from the 
users. 

Spam Websites or webpages j Web Filter (http://wfurltest.fortigu3rd.com/wftest/86.html] j j FuII SSL inspection [https://fortiguard.com/wftest/86.html) j j SSL Certificate Inspection (https://wftest86.fortiguarcl.com/wftest/86.html) 

URLs whose URLs are found 

in spam emails. These 
webpages often 
advertise sex sites, 
fraudulent wares, and 
other potentially 
offensive materials. 


Unrated 

Category Description Tests 

Not Rated Sites not yet analyzed/categorized are considered unrated. 


8 (https://www.facebook.com/FortiGuard.Labs) 
(https://plus.google.com/+fortinet) 

^0 (https://twitter.com/FortiGuardLabs) 

^ (https ://www.iinkedin.com/showcase/3668640/) 


(/rss-feeds) 


Contact Us (/contactus) 

Legai (https://www.fortinet.com/corporate/about-us/legai.htmi) 
Privacy (https://www.fortinet.com/corporate/about-us/privacy.html) 
FAQ (/faq) 

Partners (/partners) 

Feedback (/faq/generaicontact) 
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Search ^ 

Home > Online Help 

> Chapter 26 - Security Profiles > Web filter > Overriding FortiGuard website categorization 


Overriding FortiGuard website categorization 

In most things there is an exception to the rule. When it comes to the rules about who is allowed to go to 
which websites in spite of the rules or in this case, policies, it seems that there are more exceptions than to 
most rules. There are numerous valid reasons and scenarios for exceptions so it follows that there needs to 
be a way to accommodate this exception. 


The different methods of override 

There are actually two different ways to override web filtering behavior based on FortiGuard categorization of 
a websites. The second method has two variations in implementation and each of the three has a different 
level of granularity. 

1. Using Alternate Categories 

Web Rating Overrides 

This method manually assigns a specific website to a different Fortinet category or a locally 
created category. 

2. Using Alternate Profiles 

Administrative Override or Aiiow Biocked Override 

In this method all of the traffic going through the FortiGate unit, using identity based policies and a 
Web Filtering profile has the option where configured users or IP addresses can use an alternative 
Web Filter profile when attempting to access blocked websites. 


Using Alternate Categories 


Web Rating Overrides 

There are two approaches to overriding the FortiGuard Web Filtering. The first is an identity-based method 
that can be configured using a combination of identity-based policies and specifically designed webfilter 
profiles. This is addressed in the Firewall Handbook. 

The second method is the system-wide approach that locally (on the FortiGate Firewall) reassigns a URL to a 
different FortiGuard Category or even subcategory. This is where you can assign a specific URL to the 
FortiGuard Category that you want to you can also set the URL to one of the Custom Categories that you 
have created 

The Web Rating Overrides option is available because different people will have different criteria for how they 
categorize websites. Even if the criteria is the same an organization may have reason to block the bulk of a 
category but need to be able to access specific URLs that are assigned to that category. 

A hypothetical example could be that a website, example.com is categorized as being in the Sub-Category 
Pornography. The law offices of Barrister, Solicitor, and Lawyer do not want their employees looking at 
pornography at work so they have used the FortiGuard Webfilter to block access to sites that have been 
assigned to the Category “Pornography”. However, the owners of example.com are clients of the law office 
and they are aware that example.com is for artists that specialize in nudes and erotic images. In this case two 
approaches can be taken. The first is that the Web Rating Override function can be used to assign 
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example.com to Nudity and Risque instead of Pornography for the purposes of matching the criteria that the 
iaw office goes by or the site can be assigned to a Custom Category that is not blocked because the site 
belongs to one of their clients and they aiways want to be abie to access the site. 

Another hypothetical example from the other side of the coin. A private school has decided that a company 
that specializes in the online seiling of books that couid be considered inappropriate for children because of 
their vioient subject matter, should not be accessible to anyone in the school. The categorization by Fortinet 
of the site example2.com is Generai Interest - Business with the subcategory of Shopping and Auction, which 
is a category that is allowed at the school. In this case they school could reassign the site to the Category 
Aduit Material which is a blocked category. 


Local or Custom Categories 


User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The 
categories defined here appear in the giobal URL category list when configuring a web fiiter profile. Users can 
rate URLs based on the local categories. 

Users can create user-defined categories then specify the URLs that belong to the category. This ailows 
users to block groups of web sites on a per profiie basis. The ratings are included in the global URL list with 
associated categories and compared in the same way the URL block list is processed. 



Locai categories and iocai rating features consume a iarge amount of CPU 
resources; use these features as iittie as possibie. 


The local assignment of a category overrides the FortiGuard server ratings and appear in reports as “Local” 
Categories or “Custom” Categories depending on the context. 

CLI commands 

in the CLI, the term is Local Categories. 

To create a Local Category: 

config webfilter ftgd-local-cat 
edit local_category_l 
set id 140 

end 

To set a rating to a Locai Category: 

config webfilter ftgd-local-rating 
edit <url_str> 

set rating {[<category_int>] [group_str] . . .] 

set status {enable | disable} 

end 


GUI commands 

in the GUI you will see Local Categories on the Edit Web Filter profile page and Custom Categories on the 
Web Rating Overrides page. Both these pages will be used to create local categories and to apply actions to 
them. 

Creating a Local or Custom Category 

1. Go to Security Profiles > Web Rating Overrides. 
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2. Select Custom Categories in the top menu bar. 

3. In the new window, click on Create New. 

4. A new row will appear at the bottom of the list of categories with a field on the left highlighted and the 
message This fieid is required. Enter the name of the custom category in this field. 

5. Select Enter. 

Configuring Web Rating Overrides 

1. Go to Security Profiies > Web Rating Overrides. 

2. Select Create New 

3. Type in the URL field the URL of the Website that you wish to recategorize. Do not use wildcard 
expressions when typing in the URL. 

4. Select the Lookup Rating button to verify the current categorization that is being assigned to the URL. 

5. Change the Category field to one of the more applicable options from the drop down menu, for example, 
one of the custom categories just created. 

6. Change the Sub-Category field to a more narrowly defined option within the main category. 

7. Select OK. 

It is usually recommended that you choose a category that you know will be 
addressed in existing Web Filter profiles so that you will not need to engage in 
further configuration. 


\l/ 

9 


Applying an Action to a Local or Custom Category 

1. Go to Security Profiles > Web Filter. 

2. Expand the Local Categories icon in the top menu bar. 

3. Right-click on a category from the list and set the action to Allow, Block, Monitor, Warning, 
Authenticate, or Disable. 

4. Select Apply. 

Local Category scenarios 


Scenario 1: The configuration of the domain name overrides the configuration for the 
subdirectory. 

Depending on the URL specified or other aspects of configuration, the configuration of a local 
or custom category may not take effect. Consider a scenario where you have defined: 

• example.com - local rating as “category 1”, action set to Block 

• example.com/subdirectory - local rating as “category 2”, action set to Monitor 

• example.com/subdirectory/page.html - local rating as “category 3”, action set to Warning. 

If a user browses to “example.com", access will be blocked. If a user browses to example.com/subdirectory, 
access will also be blocked,even though that address was configured to be part of category2. The 
configuration of the domain name overrides the configuration for the subdirectory. 

However, if you configure a specific HTML page differently than the domain name, then that configuration will 
apply. In this scenario, the user will see a Warning message but will be able to pass through to the page. 
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Scenario 2: User-defined locai ratings and SNI matches 

In this scenario, local categories are defined and sites are added to those categories. 

• There is no behavioral difference if the hostname is sent from from ClientHello SNI or from HTTP 
request-url. 

• The SNI will be used as hostname for https certificate-inspection or ssl-exempt. 

• If a valid SNI exist, then SNI will be used as the domain name for uri rating instead of CN inthe server 
certificate. 

• For the iocal rating, "example.com" will match "test.example.com", but will not match 
"another_example.com". 


Using Alternate Profiles 


Allow Blocked Overrides or Web Overrides 

The Administrative Override feature for Web Filtering was added and is found by going to Security Profiles 
> Web Filter and then enabling Allow Blocked Override. This opening window will display a listing of all of the 
overrides of this type. The editing window referred to the configuration as an Administrative Override. 

The Concept 

When a Web filter profile is overridden, it does not necessarily remove all control and restrictions that were 
previously imposed by the Web Filter. The idea is to replace a restrictive filter with a different one. In practice, 
it makes sense that this will likely be a profile that is less restrictive the original one but there is nothing that 
forces this. The degree to which the aiternate profile is less restrictive is open, it can be as much as letting the 
user access everything on the Internet or as little as allowing only one addition website. The usual practice is 
to have as few alternate profiles as are needed to allow approved people to access what they need during 
periods when an exception to the normal rules is needed but stiil having enough control that the organizations 
web usage policies are not compromised. 

You are not restricted to having only one alternative profile as an option to the existing profile. The new profile 
depends on the credentials or IP address making the connection. For example, John connecting through the 
"Standard" profile could get the "Allow_Streaming_Video" profile while George would get the 
"Allow_Social_Networking_Sites" profile. 

The other thing to take into account is the time factor on these overrides. They are not indefinite. The longest 
that an override can be enabled is for 1 year less a minute. Often these overrides are set up for short periods 
of time for specific reasons such as a project. Having the time limitation means that the System Administrator 
does not have to remember to go back and turn the feature off after the project is finished. 

Identity or Address 

In either case, these override features - for specified users, user groups or IP addresses - allow sites 
blocked by Web Filtering profiles to be overridden for a specified length of time. The drawback of this method 
of override is that it takes more planning and preparation than the rating override method. The advantage is 
that once this has been set up, this method requires very little in the way of administrative overhead to 
maintain. 

When planning to use the aiternative profile approach keep in mind the following: In Boolean terms, one of 
the following "AND" conditions has to be met before overriding the Web Filter is possible. 


Based on the IP address: 
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• The Web Filter profile must be specified as allowing overrides 

• AND the user's computer is one of the IP addresses specified 

• AND the time is within the expiration time frame. 

While the conditions are fewer for this situation, there is less control over who has the ability to bypass the 
filtering configured for the site. All someone has to do is get on a computer that is allowed to override the Web 
Filter and they have access. 


Based on user group: 

• The Web Filter profile must be specified as allowing overrides 

• AND the policy the traffic is going through must be identity based 

• AND the user's credentials matches the identity credentials specified 

• AND the time is within the expiration time frame. 

This method is the one most likely to be used as it gives more control in that the user has to have the correct 
credential and is more versatile because the user can use the feature from any computer that uses the 
correct policy to get out on the Internet. 

Settings 

When using an alternate profile approach to Web Filter overrides, the following settings are used to determine 
authentication and outcome. Not every setting is used in both methods but enough of them are common to 
describe them collectively. 


Apply to Groupfs) 

This is found in the Allow Blocked Overrides configuration. Individual users can not be selected. You can 
select one or more of the User Groups that are recognized my the FortiGate unit, whether they are local to the 
system or from a third part authentication device such as a AD server through FSSO. 


Original Profile 

This is found in the Administrative Override configuration. In the Allow Blocked Overrides setting the 
configuration is right inside the profile so there is no need to specify which profile is the original one, but the 
Administrative Override setup is done separately from the profiles themselves. 


Assign to Profile or New Profile 

Despite the difference in the name of the field, this is the same thing in both variations of the feature. You 
select from the drop down menu the alternate Web Filter Profile that you wish to set up for this override. 


Scope or Scope Range 

When setting up the override in the "Allow Blocked Overrides" variation, you are given a drop-down menu 
next to the field name Scope while in the Administrative Override configuration you are asked to select a radio 
button next to the same options. In both cases this is just a way of selecting which form of credentials will be 
required to approve the overriding of the existing Web Filter profile. 

When the Web Filter Block Override message page appears it will display a field named "Scope:" and 
depending on the selection, it will show the type of credentials used to determine whether or not the override 
is allowed. The available options are: 
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• User 

This means that the authentication for permission to override will be based on whether or not the user is 
using a specific user account. 

• User Group 

This means that the authentication for permission to override will be based on whether on not the user 
account supplied as a credential is a member of the specified User Group. 

. IP 

This means that the authentication for permission to override will be based on the IP address of the 
computer that was used to authenticate. This would be used with computers that have muitipie users. 
Exampie: if Paul logs on to the computer, engages the override using his credentiais and then logs off, if 
the scope was based on the iP address of the computer, anybody iogging in with any account on that 
computer wouid now be using the aiternate override Web Fiiter profile. 

When entering an IP address in the Administrative Override version, only individual IP addresses are 
allowed. 

Differences between IP and Identity based scope 

• Using the iP scope does not require the use of an Identity based policy. 

• When using the Administrative Override variation and iP scope, you may not see a warning 
message when you change from using the originai Web Fiiter profiie to using the aiternate profiie. 
There is no requirement for credentials from the user so, if allowed, the page will just come up in 
the browser. 

• Ask 

This option is availabie only in the "Aiiowed Biocked Overrides" variation and when used configures the 
message page to ask which scope the user wished to use. Normally, when the page appears the scope 
options are greyed out and not editable, but by using the ask option the option is dark and the user can 
choose from the choice of: 

• User 

• User Group 

• iP Address 

• Duration Mode 

This option is availabie only in the "Aiiowed Blocked Overrides" variation. The Administrative Override 
sets a specified time frame that is aiways used for that override. The avaiiabie options from the drop 
down menu are: 

• Constant 

Using this setting will mean that what ever is set as the duration wiil be the iength of time that the 
override wiil be in effect, if the Duration variabie is set to 15 minutes the iength of the override will 
always be 15 minutes. The option will be visible in the Override message page but the setting will 
be greyed out. 

• Ask 

Using this setting will give the person the option of setting the duration to the override when it is 
engaged. The duration time which is greyed out if the Constant setting is used will be dark and 
editable. The user can set the duration in terms of Day, Hours and or Minutes. 

• Duration 

Duration is on of the areas where the two variations takes a different approach, on two aspects of the 
setting. As aiready indicated the "Administrative Override" oniy uses a static time frame there is no 
option for the user to select on the fly how long it will last. The other way in which the two variation differ 
is that the "Aiiow Biocked Overrides" starts the clock when the user logs in with his credentials. For 
example, if the duration is 1 hour and John initiates an override at 2:00 p.m. on January 1, at the end of 
that hour he will revert back to using the originai profile but he can go back and re-authenticate and start 
the process over again. The Administrative override variation starts the clock from when the override 
was configured, which is why is shows an expiration date and time when your are configuring it. 
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This option, which is avaiiable when the Duration Mode is set to Constant is the time in minutes that the 
override will last when engaged by the user. 

When setting up a constant duration in the Web Based Interface, minutes is the only option for units of 
time. To set a longer time frame or to use the units of hours or days you can use the CLi. 


config webfilter profile 

edit <name of webfilter profile> 
config override 

set ovrd-dur <###d##h##m> 

end 


When configuring the duration you don't have to set a vaiue for a unit you are not 
using. If you are not using days or hours you can use: 


set ovrd-dur 30m 


instead of: 



set ovrd-dur OdOhSOm 


However, each of the units of time variabie has their own maximum ievei: 


###d cannot be more than 364 
##h cannot be more than 23 
##m cannot be more than 59 


So the maximum iength that the override duration can be set to is 364 days, 23 
hours, and 59 minutes(a minute shy of 1 year). 


Using cookies to authenticate users in a Web Filter override 

Cookies can be used to authenticate users when a web filter override is used. This feature is available in CLI 
only. 


CLI Syntax: 

config webfilter cookie-ovrd 
set redir-host <name or IP> 
set redir-port <port> 
end 

config webfilter profile 
edit <name> 

config override 

set ovrd-cookie [allow | deny] 
set ovrd-scope [user | user-group | ip | ask] 
set profile-type [list | radius] 
set ovrd-dur-mode [constant | ask] 
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set ovrd-dur <duration> 
set ovrd-user-group <name> 
set profile <name> 

end 

end 

end 
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